DMARC: Five things it can’t do


Let me be clear. I am pro-DMARC. I think you should implement DMARC. It is a valuable part of email security best practices. But I want to be "eyes wide open" about it. You should understand what it can do, and what it cannot. It is a specific solution to a specific problem. It is not a Swiss Army knife.

And so, to that end, here are five things that DMARC can't do.
  1. DMARC passing can't guarantee that a message is a good one. After all, bad guys can authenticate their domains, too. While authenticated mail is still a good thing, as it's a solid bedrock on which to build a reputation for that domain based on what else you can tell about it, just remember that authentication and DMARC success, on its own, is not proof of goodness.
  2. If you don't protect other bits of infrastructure, bad guys can still hack into email accounts or access other login paths to get access to something that would allow them to send fully authenticated phishing mail using your domain. You can't just lock the door; you've got to secure the window, too. DMARC blocks a particular spoofing vector; importantly so, but it's not the only path to delivery of phishing email content.
  3. DMARC doesn't authenticate the "friendly from" text, the name or phrase displayed next to the email address in your email client. Bad guys could spin up a whole new authenticated domain, and send you an email that has your legitimate CEO's name in it, even if the domain doesn't match. Educate users to check email addresses and domains whenever possible.
  4. DMARC does not guarantee inbox placement. Getting to the inbox without DMARC passing is tough nowadays. This means that DMARC is necessary for deliverability success; but it alone does not guarantee that success. Sending wanted mail, building up a good reputation, and complying with all the other modern bulk sender requirements are all required to get your email messages delivered to the inbox.
  5. DMARC cannot protect unless you actually pick the right policy. If you implement DMARC with a policy of "none," you're compliant with some level of modern mailbox provider bulk sender requirements. But you're not actually telling the world to do anything to stop inbox delivery of spoofed emails. You must implement DMARC with enforcement – with a policy setting of quarantine or reject – if you actually want protection, if you want Google's Gmail, Yahoo Mail, Microsoft's Outlook.com, and many other mailbox providers to scrutinize messages from your domain more closely when they fail authentication checks.
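A quick way to check a published record for the problem in point five, as an added example that is not part of the original post: it parses the `v=DMARC1; p=...` TXT record and reports whether the policy actually enforces, flagging `p=none`, `pct=0`, and subdomains left at `sp=none`. The records and domain names below are constructed samples, not real lookups.

```python
"""Parse a DMARC TXT record and report whether it enforces anything.

Added example; the records below are constructed samples with placeholder
domains.  Tag semantics (p, sp, pct, rua) follow RFC 7489.
"""

ENFORCING = {"quarantine", "reject"}

# Constructed sample records: the first is "monitor only", the second enforces.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(record: str) -> dict:
    """Return validity, whether the policy enforces, and the reasons it may not."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "enforcing": False,
                "reasons": ["not a DMARC record: needs v=DMARC1 and a p= tag"]}
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))               # pct defaults to 100
    except ValueError:
        pct = 100  # treat an unparsable pct as the default and note it below
    reasons = []
    if policy not in ENFORCING:
        reasons.append("p=%s only monitors; receivers are not asked to act" % policy)
    if pct < 100:
        reasons.append("pct=%d applies the policy to only part of failing mail" % pct)
    if subdomain_policy not in ENFORCING:
        reasons.append("sp=%s leaves subdomains unenforced" % subdomain_policy)
    if "rua" not in tags:
        reasons.append("no rua= address, so you receive no aggregate reports")
    enforcing = policy in ENFORCING and pct > 0
    return {"valid": True, "enforcing": enforcing, "policy": policy, "reasons": reasons}


if __name__ == "__main__":
    for rec in (WEAK_RECORD, ENFORCED_RECORD):
        print(rec, "->", assess(rec))
```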
Does that mean that DMARC is broken or useless? Heck no! DMARC is a valuable technology that successfully helps to protect your domains against phishing and spoofing. Just remember that there are multiple attack vectors that bad guys can use, and no single solution blocks every potential avenue to malicious access. And also remember, it needs to be configured correctly, to maximize what protection it can offer.